EdTech pioneers must take care in the processing of the vast amount of personal data in their hands.

Education has always been an important part of our lives. Our grades in school are mainly based on our achievements on the regular school assessments. These numbers often affect our future, but are they accurate? Each student has his or her own approach to learning and different strengths and weaknesses. However, until recently, we all studied the same thing in the classroom and were subject to identical assessments, which often resulted in negative impact on our grades.

Adaptive learning

New technologies drastically transform the way we learn. Adaptive learning is an emerging and revolutionary tool that tailors education and aims to improve learning and students' results on the basis of a "trial and error" principle. In the world of adaptive learning, how and what people learn matters. Adaptive learning allows accurate tracking of the students' learning patterns, which helps in shaping the content of lessons based on the learner’s needs. Adaptive learning relies on computers to adapt the educational material depending on the data provided by the student, and it therefore collects and analyses vast amount of data for the sake of meeting the 'adaptive' criteria. This inevitably involves Big Data, another term lacking a fixed definition.

The Big Data phenomenon

Big Data is an emerging topic, subject to much discussion across various fields, yet without a conclusive formula for legal compliance in respect of its use. Big data does not always involve personal data, but it often does. Organisations focusing on adaptive learning naturally accumulate a vast amount of data about their users (including personal data), and tend to find correlations between datasets, respectively they often link identification data (such as name and age) with Big Data (such as tracking learners' experiences, the learner’s interactions, the amount of time spent etc.), in order to establish the learner's profile, evaluate its abilities and adjust the methodology of learning. By doing that in Europe, these organisations are crossing the borders into the European Data Protection Legislation, because such use of data is actually "processing of personal data" within the meaning of the EU Data Protection Directive 95/46/EC (the "EU Directive").

The EU data protection milestones

The EU Directive regulates the processing of personal data within the European Union, and it is centred on several fundamental principles, which we outline below. Again, since this technology collects users' personal data, organisations acting within the EU adaptive learning front must process all personal data in compliance with those principles and consider them at the earliest stage of development of their projects. It is recommended that companies use the "privacy by design" approach by developing, from the start, their data protection strategy and privacy policy in line with the EU data protection principles. Otherwise, companies may have to change their strategy at a later stage, which may accumulate significant costs and lead to delays in implementation of the adaptive learning project.

1. Use personal data fairly and lawfully

The learners must know what is going to happen to their personal data. Be transparent. Prior to the use of the personal data, explain how personal data will be used, as well as what the implications and benefits for the learners will be as a result of such use. Many companies rely on their privacy policies to achieve that goal. Create "user friendly" privacy policy. Be innovative and use means that would facilitate the users – at the end of the day they are the clients.

2. Use the personal data for specific, explicit and legitimate purposes

Determine the purposes for processing personal data at the earliest possible stage, and inform the learners about why their personal data will be used. Big Data in the 'adaptive learning' context sometimes involves repurposing of personal data. If you collect personal data for one purpose and then you wish to use the data for completely different purpose, communicate that with the learners in advance.

3. Use only personal data that you actually need

Identify what personal data you need for your project. Refrain from using an excessive amount of personal data just in case you might need it in the future.

4. Use accurate personal data

Ensure that you collect accurate personal data for the purposes of the project. The personal data must not be incorrect or misleading. Any personal data found to not comply with such criteria should be erased or rectified.

5. Do not retain data for too long

Keep data only for as long as you actually need it. Personal data must not be kept for longer than absolutely necessary. If you wish to keep data for a longer period of time, consider using anonymous data (personally identifiable elements removed).

6. Use appropriate security measures

Keep the data secure. Considering the increasing number of data breaches that have shaken the reputation of affected organisations, it is essential to implement adequate security measures for the protection of the processed personal data.

Personal data from adaptive learning projects is a rather delicate matter, as the personal data could concern children and/or point to the direction of the learner's life in terms of education and career advancement. The rich trove of personal data collected, which naturally happens as the learner interacts with the system, provides a tempting ground for improper use both by the organizations providing the adaptive learning and the third parties involved. The main purpose of adaptive learning is to benefit the learner educationally and career-wise; this advocacy role requires that system be designed to protect the user to the upmost against harmful outcomes that could occur if his or her personal data is not adequately used and protected. After all, the learner is, in many ways, baring his or her soul by using the system over time, and naturally expects the provider to keep secure the personal data gathered and generated via Big Data processing.

The fundamental rules of data protection envisaged by the EU Directive should be used as a roadmap for finding the appropriate direction in implementing 'adaptive learning' projects. However, they are certainly not sufficient for establishing a proper data protection strategy. On that note, EU member states are, to a certain extent, free to decide how to implement the EU directive and, as a result, there are many inconsistent national laws that must be considered while processing personal data across Europe. The need to urgently fill that gap emerged with the exponential advancement in new technologies and led to data protection reforms. A new, modern law has been proposed, namely: the General Data Protection Regulation (the "GDPR").

Crossing the borders of the GDPR - Direction towards more robust rules

The GDPR is facilitating businesses by replacing numerous existing national laws; however, it introduces significantly higher sanctions heading toward 4% of the total worldwide annual turnover. The GDPR has not yet been adopted, but its arrival is expected in the middle of 2016. Companies will have two years after its formal adoption to get on track with the new rules.

The GDPR introduces various additional concepts that must be observed by companies while processing personal data for the implementation of an adaptive learning project. However, the EU data protection principles will continue to serve companies as a data protection legal framework, which is another indication of their importance. Moreover, the GDPR strengthens these principles even more. The GDPR introduces the "right to be forgotten" that would allow the learners to request erasure of their data if the latter is no longer necessary for the purposes which the data have been collected or used. The concept of transparency in communication with the individuals, the "privacy by design" approach, and the processing of only the necessary amount of data are indeed refreshed and strengthened by the GDPR. If not considered from a legal and technical standpoint initially, these requirements could cause adaptive learning organisations and providers immense headaches to comply with at a later stage. The GDPR is noticeably shifting the power towards the individuals by giving them the right to not to be subject to profiling.

The GDPR will be a game-changer for businesses, and not necessarily in their favour. The fragile field of adaptive learning is not an exception. Inevitably the opportunities and challenges found at the intersection of adaptive learning and the GDPR will reward nimble companies that are able to navigate these uncertain waters while, at the same time, present significant obstacles to those that plough on oblivious to the changing landscape in global education, technology and data protection.